A point-of-sale data breach, allegedly discovered a month ago and only now admitted, exposed two million credit cards belonging to diners at Earl Enterprises restaurants.
KrebsOnSecurity says it contacted the Italian restaurant chain that owns Buca di Beppo, Earl of Sandwich, Planet Hollywood and other restaurant brands on 21 February 2019, after finding evidence that the stolen payment cards were being sold on cyber-crime underground sites.
On 29 March, Earl Enterprises officially announced the breach.
"Once we learned of a potential incident, we promptly launched an internal investigation and engaged two leading cyber-security firms," the company said in the statement. "As part of the investigation, we have been in contact with federal law enforcement officials and are cooperating with them."
Although the dates vary by location, customers who used their payment cards at the affected locations between May 23, 2018 and March 18, 2019 may have had their information compromised.
Virtually all 67 Buca di Beppo locations in the United States; some of the 31 Earl of Sandwich locations; and Planet Hollywood locations in Las Vegas, New York City and Orlando were affected along with Tequila Taqueria in Las Vegas; Chicken Guy! in Disney Springs, Fla.; and Mixology in Los Angeles.
Commenting on the report, Ryan Wilk, VP at NuData Security, a Mastercard Company, said: "The two million cards on sale on the dark web would indicate this was a very successful project for the cyber-criminals involved, and one which is likely to be incredibly profitable. POS-malware breaches happen in the US with alarming regularity, and businesses should be well aware that they need to not only protect their central networks but also need to account for physical locations as well.
"For those affected, they should keep an eye on their bank accounts for any unusual activity. Moving forward, financial institutions should consider implementing a system of two-factor authentication in conjunction with a passive biometric solution in order to mitigate the entirely avoidable outcomes of security incidents such as this."
For Jonathan Deveaux, head of enterprise data protection at comforte AG, the solution is tokenisation, as he described in an email to SC Media UK: "Data security tokenisation allows organisations to remove the actual credit card or debit card number (aka PAN or Primary Account Number) from their databases and files. As a result, if an attacker steals the data from databases or files, the data is worthless to them because they took tokenised data instead of the original PANs."
He adds that retailers "... can also look at deploying security tokenisation. Depending on how the network of servers are set up at retailers and merchants service providers, there may be a local server configured at each site, where the PoS devices for that store connect. The local server then connects to the central server in a data center located somewhere else. Security tokenisation can be extended to secure card data on these local servers, thus protecting PANs in cases where hackers and bad actors target specific locations to install credit-card stealing malware."
An earlier version of this article was originally published on SC Media US.